==OVERVIEW==
Starting in March of this year, a large number of research and education
systems have been compromised using stolen SSH keys. The keys are used
to gain system access as an unprivileged user, and then local kernel
exploits are used to gain administrative access and install a rootkit
and gather more SSH keys. STEAM-CIRT recommends that Linux system
administrators check their machines for signs of compromise using the
details and methods described below.

==DETAILS==
So far, the attacks have concentrated on clustered research machines,
likely because the method of infection relies on trusted SSH keys, which
are most commonly used in those environments. So far, the following IP
addresses are known to have been used by the intruders to log in or to
drop the phalanx rootkit or other tools. System administrators should
check their SSH access logs and any other records for signs of
communications with these machines. Communication with these hosts should
be considered highly suspicious. STEAM-CIRT is also reviewing network
flow records and will notify PSCs if any flows to Purdue hosts are found.

==SOLUTIONS==
A tool exists that will detect suspicious SSH keys and may help
determine if a system has been compromised. It may be downloaded from

***LINK NO LONGER AVAILABLE***

You may want to check any Linux machines you have for these common
attack patterns:

- disabling command line history logging with "export HISTFILE=/dev/null"
or "unset HISTFILE"

- starting out intrusions with a set of brief noninteractive logins
across multiple candidate systems that scout out the systems,
typically running "id", "w", "uname -a", "mount" and similar, before
choosing a target host and trying to root it

- trying to use nfsshell to get elevated write privileges over NFS

- logging in using "ssh <host> /bin/sh -i" or "ssh <host> /bin/bash -i",
rather than just "ssh <host>".
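The following is an added example, not part of the advisory or any STEAM-CIRT tool: it checks a host's sshd log for the "brief noninteractive logins" scouting pattern above, by pairing each "Accepted" line with the PAM "session closed" line from the same sshd PID and flagging source addresses with repeated very short sessions, and it checks shell rc/profile text for the two HISTFILE tricks. The log lines and addresses are constructed samples; the format assumes syslog-style sshd lines with PAM session logging enabled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log (not real data): two 1-2 second logins from one
# source, then a normal hour-long interactive session from another.
SAMPLE_AUTH_LOG = """\
Apr 14 02:11:03 node7 sshd[2211]: Accepted publickey for jdoe from 192.0.2.10 port 40211 ssh2
Apr 14 02:11:05 node7 sshd[2211]: pam_unix(sshd:session): session closed for user jdoe
Apr 14 02:11:09 node7 sshd[2240]: Accepted publickey for jdoe from 192.0.2.10 port 40212 ssh2
Apr 14 02:11:10 node7 sshd[2240]: pam_unix(sshd:session): session closed for user jdoe
Apr 14 09:30:00 node7 sshd[3100]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
Apr 14 10:45:12 node7 sshd[3100]: pam_unix(sshd:session): session closed for user alice
"""

# The two lines that bracket one session; both carry the same sshd PID.
ACCEPT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                       r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
CLOSE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                      r"pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")
# History-disabling idioms named in the advisory.
HIST_RE = re.compile(r"(?:^|[;\s])(?:export\s+HISTFILE=/dev/null|unset\s+HISTFILE)\b", re.M)

def _ts(s, year=2000):
    # syslog timestamps carry no year; any fixed year works for deltas within one log.
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")

def short_session_sources(log_text, max_seconds=5, min_sessions=2):
    """Return {ip: [(user, seconds), ...]} for source IPs with at least
    min_sessions logins that each lasted at most max_seconds."""
    opened = {}                      # sshd pid -> (start time, user, ip)
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            opened[m["pid"]] = (_ts(m["ts"]), m["user"], m["ip"])
            continue
        m = CLOSE_RE.match(line)
        if m and m["pid"] in opened:
            start, user, ip = opened.pop(m["pid"])
            secs = (_ts(m["ts"]) - start).total_seconds()
            if secs <= max_seconds:
                per_ip[ip].append((user, secs))
    return {ip: s for ip, s in per_ip.items() if len(s) >= min_sessions}

def history_disabled(shell_rc_text):
    """True if a shell rc/profile snippet disables history logging."""
    return bool(HIST_RE.search(shell_rc_text))

if __name__ == "__main__":
    print(short_session_sources(SAMPLE_AUTH_LOG))   # flags 192.0.2.10 only
```

Run it against /var/log/auth.log or /var/log/secure and against each user's ~/.bashrc and ~/.bash_profile; a flagged source is a lead to correlate with other hosts in the cluster, not proof of compromise on its own.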